httpd-users mailing list archives

From Robert Denton <rob...@headsprout.com>
Subject Re: [users@httpd] MITM apache config settings?
Date Wed, 03 Jan 2007 22:14:15 GMT
Hm.  Well, I certainly see the logic in your explanation; however,  
the client claims to have encountered this before and is confident it  
is an Apache config error.  I will look into the keepalive.  Would  
you agree with this statement:

"Apache servers check to see if the databits are coming  
through different subnets."

If the above statement is true, then what does Apache do if it  
detects different subnets?

R


On Jan 3, 2007, at 4:45 PM, Sander Temme wrote:

>
> On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:
>
>> Hi all,  I hope someone here can point me in the right direction.   
>> My apache server is dropping connections from a client that load  
>> balances between 2 ISPs. I have been told that this may be a  
>> result of some setting in the httpd.conf file that directs apache  
>> to drop connections when there is a sudden change in destination  
>> IP address.  Supposedly this is to help prevent man-in-the-middle  
>> attacks.  I am fairly familiar with the httpd.conf contents (or so  
>> I thought I was) and I cannot find anything in there related to  
>> this phenomenon.  Does anyone here have any idea what setting in  
>> the config may contribute to this behavior?  TIA.
>
> You mean the client-side IP address might change in mid-transaction?  
> How would Apache learn of this when it occurs?  When  
> Apache receives a request from an IP address, it sends the response  
> back to that IP address and no others.
>
> The way you describe it, this sounds severely broken. Imagine:
>
> Client sends TCP handshake followed by request from IP 1, server  
> sends response back to IP 1; Client's connection changes, it sends  
> subsequent request over existing connection (or so it thinks) but  
> now the packets arrive from IP 2; Server (not even Apache, but the  
> underlying OS) sees mid-connection packets from IP 2 that were not  
> preceded by a TCP handshake, and sends an RST (or silently absorbs  
> depending on configuration, firewalls, etc.).  As I said, broken.
>
> If your client has an AS that may fail over to a different ISP,  
> it's a different story.  However, you should not even notice that  
> when it happens.
>
> I'd say reduce the KeepAlive timeout or turn off KeepAlive  
> altogether to make sure Apache doesn't keep connections open  
> across such router flaps.  Or take the Clue bat to your client.
>
> S.
>
> -- 
> sctemme@apache.org            http://www.temme.net/sander/
> PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
>
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
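The mechanism Sander describes (the OS, not Apache, rejecting data segments whose source address no longer matches any established connection, and KeepAlive deciding whether the next request reuses that connection) can be seen in a small model. This is an added example, not code from the thread or from the Apache project: it keeps a table of established connections keyed on the TCP 4-tuple, sends one request per ISP "hop" with keep-alive on or off, and also pulls the real KeepAlive, KeepAliveTimeout and MaxKeepAliveRequests directives out of an httpd.conf fragment. The server address, the two client egress addresses, the ephemeral port and the config fragment are all constructed for the example.

```python
"""Why a client whose source IP changes mid-connection gets dropped.

Added example, not code from the thread or from the Apache project.
It models the server's TCP layer (the OS, not httpd) as a table of
established connections keyed on the 4-tuple (client IP, client port,
server IP, server port), and a client that either reuses one keep-alive
connection for every request or opens a fresh one per request.  All
addresses, ports and the httpd.conf fragment are constructed.
"""

SERVER = ("203.0.113.10", 80)                      # constructed server address
ISP_A, ISP_B = "198.51.100.7", "192.0.2.44"        # constructed client egress IPs


class ServerStack:
    """Stand-in for the kernel TCP layer that sits in front of Apache."""

    def __init__(self):
        self.established = set()   # 4-tuples with a completed handshake
        self.log = []

    def handshake(self, src_ip, src_port):
        key = (src_ip, src_port) + SERVER
        self.established.add(key)
        self.log.append(("SYN/ACK", key))

    def segment(self, src_ip, src_port, payload):
        """Deliver one data segment; return what the server sends back."""
        key = (src_ip, src_port) + SERVER
        if key not in self.established:
            # No established connection matches this 4-tuple, so the
            # segment is answered with RST (RFC 793); Apache never sees it.
            self.log.append(("RST", key))
            return "RST"
        self.log.append(("DATA", key, payload))
        return "200 OK"

    def close(self, src_ip, src_port):
        self.established.discard((src_ip, src_port) + SERVER)


def run_requests(stack, egress_ips, keepalive):
    """Send one request per entry of egress_ips, where egress_ips[i] is the
    source address the i-th request leaves the client's network with.
    Returns the list of server responses in order."""
    responses = []
    port = 40000        # constructed ephemeral port
    conn = None         # (ip, port) of the socket the client thinks is open
    for ip in egress_ips:
        if conn is None:
            stack.handshake(ip, port)
            conn = (ip, port)
        # The client keeps writing to the same socket; only the ISP/NAT path
        # changed, so the server sees the same port from a different IP.
        reply = stack.segment(ip, conn[1], "GET / HTTP/1.1")
        responses.append(reply)
        if reply == "RST" or not keepalive:
            # Either the kernel reset the connection or the server closed it
            # after the response (KeepAlive Off): the next request reconnects.
            stack.close(*conn)
            conn = None
            port += 1
    return responses


KEEPALIVE_DIRECTIVES = ("KeepAlive", "KeepAliveTimeout", "MaxKeepAliveRequests")


def keepalive_settings(conf_text):
    """Return the keep-alive directives found in httpd.conf text, keyed by
    their canonical name.  Directive names are case-insensitive in Apache;
    full-line '#' comments are skipped."""
    canonical = {d.lower(): d for d in KEEPALIVE_DIRECTIVES}
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in canonical:
            found[canonical[parts[0].lower()]] = parts[1].strip()
    return found


SAMPLE_CONF = """\
# constructed httpd.conf fragment, not from a real deployment
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
keepalivetimeout 15
"""


if __name__ == "__main__":
    path = [ISP_A, ISP_B, ISP_B]   # the load balancer flips to ISP B after request 1
    print("KeepAlive On :", run_requests(ServerStack(), path, keepalive=True))
    print("KeepAlive Off:", run_requests(ServerStack(), path, keepalive=False))
    print("settings     :", keepalive_settings(SAMPLE_CONF))
```

With keep-alive on, the request that leaves after the path flips is answered with RST by the kernel and the client sees a reset connection, which is the "dropped connection" symptom from the original question; with keep-alive off every request starts with its own handshake from whichever ISP is current, so the flip is invisible. Apache's only lever here is how long it holds an idle connection open (KeepAlive, KeepAliveTimeout, MaxKeepAliveRequests), which narrows the window but cannot rescue a request that is already in flight when the path changes. The model drops the stale entry for the old address immediately for simplicity; a real kernel keeps it until the connection times out.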

